
Jenkins admin? Get buzzy patching, says Cloudbees

DevOps types are going to have to prioritise Ops for a bit to quash Java, login vulns

By Richard Chirgwin, 2 May 2017

Cloudbees's Jenkins needs a patch against a Java deserialisation vulnerability.

The bug, CVE-2017-1000353, exists in how Jenkins implements HTTP upload/download requests.

The bug lets an attacker exploit a serialised object in the preamble of commands sent to the CLI. As described by Securiteam, “since Jenkins does not validate the serialised object, any serialise[d] object can be sent.”

The attacker can use the channel to send SignedObject to the CLI. Jenkins deserialises it using a new ObjectInputStream, which the company says bypasses its blacklist-based protection mechanism.

To block it, Cloudbees has added SignedObject to its blacklist.
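
To show why a wrapper type has to be on the list, here is an added example (not Jenkins' or Cloudbees' code) of a blacklist-based filtering ObjectInputStream of the kind the article describes: it rejects a serialised SignedObject once java.security.SignedObject is blacklisted, while a blacklist without that entry lets the wrapper through, because the object it carries is stored as raw bytes and is only deserialised later by a fresh, unfiltered stream. The class name, the constructed blacklist entry and the harmless String payload are all assumptions.

```java
import java.io.*;
import java.security.*;
import java.util.Set;

// Hypothetical class, added for illustration; not the project's own filter.
public class BlacklistDeserialisationDemo {

    // Look-ahead filter: reject blacklisted class names before instantiation.
    static class FilteringObjectInputStream extends ObjectInputStream {
        private final Set<String> blacklist;
        FilteringObjectInputStream(InputStream in, Set<String> blacklist) throws IOException {
            super(in);
            this.blacklist = blacklist;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (blacklist.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "rejected by deserialisation blacklist");
            }
            return super.resolveClass(desc);
        }
    }

    // Constructed untrusted input: a SignedObject wrapping a harmless String.
    // SignedObject keeps the wrapped object as a byte[] and only deserialises it
    // (with its own ObjectInputStream) when getObject() is called, so the outer
    // filter sees SignedObject and byte[], never the wrapped class.
    static byte[] signedObjectBytes() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature sig = Signature.getInstance("SHA256withRSA");
        SignedObject so = new SignedObject("harmless payload", kp.getPrivate(), sig);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(so);
        }
        return bos.toByteArray();
    }

    // True if the filtered stream accepts the input, false if the blacklist rejects it.
    static boolean accepted(byte[] bytes, Set<String> blacklist) throws Exception {
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(bytes), blacklist)) {
            ois.readObject();
            return true;
        } catch (InvalidClassException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] untrusted = signedObjectBytes();
        Set<String> beforeFix = Set.of("com.example.KnownGadget"); // constructed placeholder entry
        Set<String> afterFix = Set.of("com.example.KnownGadget", "java.security.SignedObject");
        System.out.println("accepted before fix: " + accepted(untrusted, beforeFix));
        System.out.println("accepted after fix:  " + accepted(untrusted, afterFix));
    }
}
```

Denylists like this only hold up while every such self-deserialising wrapper is listed; an allowlist of expected classes, or a JEP 290 ObjectInputFilter applied process-wide, closes the gap rather than chasing it one class at a time.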

To test the vulnerability for yourself, the bug report suggests the following:

  • Create a serialised object whose payload is a command executed by running the payload.jar script;
  • Change the Python script jenkins_poc1.py to adjust the target URL, and open your payload file.

The fix is published along with a number of other bug-fixes here.

Also fixed in the patch are various cross-site request forgery bugs, a login impersonation bug, and a Java crash-fix. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing